Ben Laurie blathering

Anyone who has not had their head under a rock knows about the DigiNotar fiasco.

And those who’ve been paying attention will also know that DigiNotar’s failure is only the most recent in a long series of proofs of what we’ve known for a long time: Certificate Authorities are nothing but a money-making scam. They provide us with no protection whatsoever.

If the plan works, consumers who opt in might soon be able to choose among trusted third parties — such as banks, technology companies or cellphone service providers — that could verify certain personal information about them and issue them secure credentials to use in online transactions.

Does this sound familiar? Rather like “websites that opt in can choose among trusted third parties – Certificate Authorities – that can verify certain information about them and issue them secure credentials to use in online transactions”, perhaps? We’ve seen how well that works. And this time there’s not even a small number of vendors (i.e. the browser vendors) who can remove a “trusted third party” who turns out not to be trustworthy. This time you have to persuade everyone in the world who might rely on the untrusted third party to remove them from their list. Good luck with that (good luck with even finding out who they are).

What is particularly poignant about this article is that even though its title is “Online ID Verification Plan Carries Risks”, the risks we are supposed to be concerned about are mostly privacy risks, for example:

people may not want the banks they might use as their authenticators to know which government sites they visit

and

the government would need new privacy laws or regulations to prohibit identity verifiers from selling user data or sharing it with law enforcement officials without a warrant.

Towards the end, if anyone gets there, is a small mention of some security risk:

Carrying around cyber IDs seems even riskier than Social Security cards, Mr. Titus says, because they could let people complete even bigger transactions, like buying a house online. “What happens when you leave your phone at a bar?” he asks. “Could someone take it and use it to commit a form of hyper identity theft?”

Dude! If only the risk were that easy to manage! The real problem comes when someone sets up an account as you with one of these “banks, technology companies or cellphone service providers” (note that CAs are technology companies). Then you are going to get your ass kicked, and you won’t even know who issued the faulty credential or how to stop it.

And, by the way, don’t be fooled by the favourite get-out-of-jail-free clause beloved by policymakers and spammers alike, “opt in”. It won’t matter whether you opt in or not, because the proof you’ve opted in will be down to these “trusted” third parties. And the guy stealing your identity will have no compunction about that particular claim.

This entry was posted on Monday, September 19th, 2011 at 15:50 and is filed under Identity Management, Security.

4 Comments

Does this sound familiar?

It does, but an important (or at least interesting) difference may lie buried under the familiar surface. If consumers choose the third party and service providers rely on the credentials issued by various third parties, the trust relationships change compared to what we are familiar with from SSL. With SSL, the burden of trust is with the users; with OpenID it seems to shift to the service providers. I suspect this may change the security economics, for the worse or for the better.

Aren’t you collaborating with Comodo, a CA, on PKIX CAA? Do you think that will fix it? DANE looks like a much more general solution, and I don’t trust Comodo to do anything but further their commercial interests. Plus, CAA doesn’t mandate DNSSEC authentication.